Analysis of PI Protection Compliance Auditing Requirements
Release Date:2025-03-17

Introduction

Since 2021, the Personal Information Protection Law (“2021 PIPL”) and its supporting regulations have been promulgated and have gradually formed China’s personal information (“PI”) protection legal framework. The high-level requirement of the 2021 PIPL to conduct PI protection compliance audits (“Compliance Audits”) has always attracted considerable attention from businesses. However, due to a lack of supporting regulations and operational guidelines, few businesses currently carry out systematic Compliance Audits. The Measures for the Administration of Personal Information Protection Compliance Audits (“2025 PIPCA Measures”; effective 1 May 2025) fill out the requirements of the 2021 PIPL by providing clear, actionable guidance for businesses to carry out Compliance Audits. This Article provides an in-depth analysis of the impact of the 2025 PIPCA Measures on businesses, their key compliance requirements, and important audit issues.

Ⅰ. The 2025 PIPCA Measures significantly change how businesses should protect PI

The 2025 PIPCA Measures may bring the following significant changes to how businesses should protect PI:

1. Mandatory and normalised Compliance Audits

Both the 2021 PIPL and the 2025 PIPCA Measures make it clear that it is a legal obligation of businesses and other organisations to conduct Compliance Audits on PI protection, and that failure to conduct Compliance Audits in accordance with the law constitutes a violation of law. Businesses must fully incorporate Compliance Audits into their internal PI governance and compliance frameworks and promote the formation of normalised compliance audit mechanisms.

2. Restructuring of the regulatory evaluation system

Relevant regulatory authorities (including industry authorities) will gradually incorporate Compliance Audit requirements into core regulatory indicators. Whether an enterprise has carried out a Compliance Audit, and the results of that audit, will become an important indicator for measuring the PI protection capabilities of an entity. The relevant regulatory authorities may adopt new methodologies to evaluate the PI protection level of entities based on criteria such as the completeness of audit reports and the efficiency of problem rectification, and in such an evaluation system audit results will carry real weight. As such, Compliance Audits will be an important basis for the regulatory authorities to implement hierarchical and categorical supervision.

3. The threshold for business cooperation has been raised

As legal compliance becomes a higher regulatory enforcement priority, business cooperation (i.e., procurement) involving PI flows between businesses will increasingly focus on whether the parties have carried out Compliance Audits, and certain audit results may become an important prerequisite for cooperation. For example, some businesses may require bidders to provide independent Compliance Audit reports, or to undertake that they have carried out Compliance Audits in accordance with the law and that there are no major compliance defects. Conducting and monitoring Compliance Audits will become an increasingly important requirement for supplier management.

4. Impact on government approvals

For some government-related work or projects involving the processing of PI by companies (such as the public listing of a company), some government departments may explicitly require companies to provide compliance audit reports or relevant compliance statements. Failure to meet these conditions may result in companies being unable to obtain government approvals.

5. Barriers to public-private cooperation have been raised

For some projects involving the processing of PI, government departments may require suppliers to provide Compliance Audit reports or promise that Compliance Audits have been carried out in accordance with the law and that there are no major compliance defects. Businesses that do not meet these conditions may be disqualified from bidding for government procurement.

6. Compliance work is moving towards substance over form

The promulgation of the 2025 PIPCA Measures marks a deeper level of PI compliance work required by the relevant regulatory authorities. For a long time after the promulgation of the 2021 PIPL, the compliance work of many businesses focused on the basic problem of creating a PI protection compliance system at all. From this standpoint, many businesses prioritised establishing a PI protection compliance framework that appears complete in form but gives little consideration to its substantive effectiveness in practice. As a means of comprehensively checking the compliance of PI protection frameworks, Compliance Audits under the 2025 PIPCA Measures should focus more on reviewing the substance of those frameworks. This means asking, at each stage of a Compliance Audit, whether a control actually works well rather than merely whether it exists. From this perspective, the protection of PI will inevitably take into account the effectiveness of PI protection compliance frameworks, and force PI compliance activities to occur at a deeper level.

The following table summarises key PI protection issues before and after the 2025 PIPCA Measures:

7. When creating compliance frameworks, auditability needs to be considered from the start

For businesses that do not yet have a PI protection framework and are constructing one from the ground up, the requirements of Compliance Audits should be fully considered at the design stage, and audit-friendly design principles should be adopted, such as:

  • The PI protection compliance framework should clearly include an audit framework, audit organisation, audit specifications, etc.;

  • Funds and resources should be allocated for compliance audits;

  • Evidence-preservation points (forensic nodes) should be embedded within business processes, document management, and index tag configurations to facilitate Compliance Audits and proactively mitigate the risk of evidence loss.

8. PI protection impact assessments need to be strengthened in connection with Compliance Audits

The promulgation of the 2025 PIPCA Measures will require businesses to re-examine their PI protection impact assessments (“PIPIA”) from the perspective of Compliance Audits. Under the 2021 PIPL, businesses that intend to process sensitive PI, implement automated decision-making, entrust the processing of PI to others, provide PI to third parties, publicly disclose PI, or transfer PI across borders must conduct a PIPIA before the PI is processed. Due to the lack of authoritative mandatory standards for PIPIAs in practice, the PIPIA activities of businesses are often superficial and ineffective. After the promulgation of the 2025 PIPCA Measures, businesses face pressure to follow up on PIPIA findings and will need to prepare evidence of those follow-up activities for Compliance Audits.

9. Compliance costs are rising

Compliance auditing is a comprehensive, complex and highly specialised task. The full implementation of compliance audit requirements will undoubtedly increase the compliance costs of all types of businesses. In particular, SMEs that lack the budget to have in-house data compliance professionals or engage external professional bodies will face additional pressures. In the absence of strong regulatory requirements, some companies may ignore Compliance Audits or simply “go through the motions”, resulting in unresolved compliance risks.

10. Digital and automated solutions for Compliance Audits

Considering the complexity and structure of Compliance Audits, large businesses will have strong incentives to develop, procure or outsource digitalisation and automation solutions for compliance auditing, using technical means to increase the efficiency of Compliance Audits and reduce their cost. As such solutions mature and become more widely available, costs will drop significantly, benefiting small and medium-sized businesses.

Ⅱ. Key compliance points under the 2025 PIPCA Measures (Q&A)

1. When do I need to conduct a compliance audit?

Compliance Audits can be divided into two types: self-audits and passive audits.

  • Self-audit: PI processors take the initiative to perform compliance audit obligations in accordance with the law (Article 54 of the 2021 PIPL, Articles 3 and 4 of the 2025 PIPCA Measures).

  • Passive audit: In the course of performing its duties, a regulator that discovers that a PI processor has suffered an information security incident or faces a significant risk requires the PI processor to conduct a compliance audit in accordance with the law (Article 64 of the 2021 PIPL and Article 5 of the 2025 PIPCA Measures).

2. How often do Compliance Audits need to be done?

  • Self-audit: PI processors that handle the PI of more than 10 million people shall conduct a Compliance Audit at least once every two years (Article 4 of the 2025 PIPCA Measures). The 2025 PIPCA Measures set no explicit frequency for Compliance Audits carried out by other PI processors on their own initiative; in principle these PI processors may determine the frequency according to their own circumstances, but it is recommended that businesses set clear internal rules on this point and document a reasonable justification. However, it should be noted that, according to Article 37 of the Regulations on the Protection of Minors Online, "personal information processors shall, on their own or by entrusting a professional institution, conduct an annual compliance audit of their processing of minors' personal information in compliance with laws and administrative regulations, and promptly report the audit to the internet information and other departments". Therefore, a company that handles the PI of minors is required to conduct a compliance audit annually.

  • Passive audit: When there is an information security incident or risk, a compliance audit shall be conducted in accordance with the requirements of the PI protection department (Article 5 of the 2025 PIPCA Measures).

3. What do I need to review in a compliance audit?

A Compliance Audit is a supervision activity that reviews and evaluates whether the PI processing activities of PI processors comply with laws and administrative regulations (Article 2 of the 2025 PIPCA Measures). Any enterprise involved in the processing of PI is required to audit the legality of that processing.

Businesses should conduct Compliance Audits in line with the Guidelines for Compliance Audits on Personal Information Protection (“2025 PIPCA Guidelines”; Article 6 of the 2025 PIPCA Measures) annexed to the 2025 PIPCA Measures (See Key Review Items under the 2025 PIPCA Guidelines below).

According to reports, the National Cybersecurity Standardisation Technical Committee (“TC260”) is developing several key standards and practice guidelines for Compliance Audits to support the 2025 PIPCA Measures. In July 2024, the committee issued a recommended national standard, Data Security Technology Personal Information Protection Compliance Audit Requirements (Draft for Comments) (See https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20240712162705&norm_id=20231220163619&recode_id=55772). If the standard is officially promulgated, it will become an important reference for businesses to carry out Compliance Audits.

4. Who is qualified to conduct Compliance Audits?

  • Self-audit: PI processors' internal bodies may conduct Compliance Audits on their own, or may entrust professional institutions to conduct Compliance Audits (Article 3 of the 2025 PIPCA Measures).

  • Passive audit: PI processors may only entrust a professional institution to conduct Compliance Audits (Article 5 of the 2025 PIPCA Measures).

5. What are the requirements of the 2025 PIPCA Measures for professional institutions that conduct Compliance Audits?

The 2025 PIPCA Measures do not restrict the types of professional institutions, so all types of institutions with compliance audit capabilities (such as law firms, accounting firms, scientific research institutions, etc.) can provide compliance audit services.

Professional institutions must have the ability to carry out Compliance Audits and have auditors, venues, facilities, and resources appropriate to the services (Article 7 of the 2025 PIPCA Measures).

Following the principle of voluntariness and marketisation, professional institutions may voluntarily participate in certification (per the CAC at a press conference on the 2025 PIPCA Measures).

When engaging in Compliance Audit activities, professional institutions shall comply with laws and regulations, act honestly and with integrity, and make professional judgements on compliance auditing fairly and objectively. They shall keep confidential, in accordance with law, the PI, commercial secrets, confidential business information and similar material obtained in the performance of Compliance Audit duties, shall not disclose it or illegally provide it to others, and shall promptly delete such information after the compliance audit work is completed (Article 13 of the 2025 PIPCA Measures).

Professional institutions must not subcontract other institutions to carry out Compliance Audits (Article 14 of the 2025 PIPCA Measures).

The same professional body, its affiliates, and the same person in charge of compliance audit must not conduct Compliance Audits for the same audit subject more than three times in a row (Article 15 of the 2025 PIPCA Measures).

6. Do I need to provide the results of the compliance audit to the government department?

  • Self-audit: The 2025 PIPCA Measures do not explicitly require PI processors to voluntarily provide compliance audit reports to government departments, but the Protection Departments (CAC and other departments performing PI protection duties) have the right to supervise and inspect the Compliance Audit status of PI processors (Article 16 of the 2025 PIPCA Measures).

  • Passive Audit:

    o   Where PI processors carry out Compliance Audits in accordance with the requirements of the Protection Departments, they shall submit the Compliance Audit report issued by the professional body to the Protection Departments after completing the compliance audit. Compliance Audit reports shall be signed by the person responsible for the professional body and the person in charge of compliance audit and affixed with the official seal of the professional body. (Article 10 of the 2025 PIPCA Measures)

    o   Problems found in Compliance Audits shall be rectified in accordance with the requirements of the Protection Departments. No later than 15 working days after rectification, a report on rectification shall be submitted to the Protection Departments (Article 11 of the 2025 PIPCA Measures).

7. Will a business bear legal liability for not conducting a Compliance Audit?

Yes, it will bear legal liability. Where a PI processor violates the 2025 PIPCA Measures, it is to be dealt with in accordance with the 2021 PIPL, the Regulations on the Management of Network Data Security 2024, and other laws and regulations. If a crime is constituted, criminal responsibility shall be pursued in accordance with the law (Article 18 of the 2025 PIPCA Measures).

Businesses that do not conduct Compliance Audits also face the risk of whistleblowers revealing their non-compliance. The 2025 PIPCA Measures stipulate that any organisation or individual has the right to complain and report illegal activities relating to the Compliance Audit to the Protection Departments. The Protection Departments receiving the complaint or report shall handle it promptly in accordance with the law, and inform the complainant or informant of the outcome (Article 17 of the 2025 PIPCA Measures).

8. What other important things in the 2025 PIPCA Measures require attention?

PI Protection Officer: The 2021 PIPL contains only a high-level requirement for businesses to appoint PI protection officers, and does not specify the conditions under which such an appointment must be made. The 2025 PIPCA Measures clearly stipulate that PI processors processing the PI of more than 1 million persons shall designate a person in charge of PI protection, who shall be responsible for the PI processor’s Compliance Audits (Article 12 of the 2025 PIPCA Measures).

Independent oversight bodies: PI processors that provide important internet platform services, have a large number of users, and have complex business types, shall establish an independent body composed primarily of external members to conduct oversight of Compliance Audits (Article 12 of the 2025 PIPCA Measures).

Ⅲ. Key Review Items under the 2025 PIPCA Guidelines

The 2025 PIPCA Guidelines, an annex to the 2025 PIPCA Measures, list in detail the matters to be reviewed in Compliance Audits, covering all aspects of the entire life cycle of PI processing. These matters need to be comprehensively reviewed during Compliance Audits, and additional review items can be added according to the actual situation.

Ⅳ. National standards related to Compliance Audits

According to reports, TC260 is developing several key standards and practice guidelines for Compliance Audits to provide guidance for the implementation of the 2025 PIPCA Measures. In July 2024, the committee issued a recommended national standard, Data Security Technology Personal Information Protection Compliance Audit Requirements (Draft for Comments) (see https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20240712162705&norm_id=20231220163619&recode_id=55772). The draft standard lists recommended implementation requirements, working methods, and key audit items for Compliance Audits. Once the standard is officially promulgated, it will provide an important reference for businesses carrying out Compliance Audits.

We will closely follow the development of relevant laws and regulations and national and industry standards and interpret them in a timely manner. 

Source: LexisNexis

Author: “Sam” YANG Hongquan, A partner of AnJie Broad Law Firm, Work email: yanghongquan@anjielaw.com
